Enable -XX:[+|-]CRIUSecProvider JVM option

Whenever we are performing a checkpoint this is typically done by enabling -XX:+EnableCRIUSupport. It will remove all the security providers and the CRIUSecProvider is inserted to the runtime enviroment. This provides a more locked down approach to what cryptography is allowed while taking a checkpoint. Therefore, this new flag is introduced by passing it after -XX:+EnableCRIUSupport is enabled. When this option is used, we no longer make use of CRIUSecProvider and instead use normal provider loading to enable all security algorithms in an out of the box state. This can allow users to make use of any algorithms in the various providers available.
eclipse-openj9 · Dec 11, 2023 · 597da37 · 597da37
1 parent c46aaaa
commit 597da37
Show file tree

Hide file tree

Showing 12 changed files with 84 additions and 5 deletions.
diff --git a/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java b/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java
@@ -25,17 +25,15 @@
 /**
  * Internal CRIU Support API
  */
-/*[IF JAVA_SPEC_VERSION >= 17]*/
-@SuppressWarnings({ "deprecation", "removal" })
-/*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public final class InternalCRIUSupport {
 	private static final boolean criuSupportEnabled = isCRIUSupportEnabledImpl();
 	private static long checkpointRestoreNanoTimeDelta;
 
-	private static native boolean isCRIUSupportEnabledImpl();
-	private static native boolean isCheckpointAllowedImpl();
+	private static native boolean enableCRIUSecProviderImpl();
 	private static native long getCheckpointRestoreNanoTimeDeltaImpl();
 	private static native long getLastRestoreTimeImpl();
+	private static native boolean isCRIUSupportEnabledImpl();
+	private static native boolean isCheckpointAllowedImpl();
 
 	/**
 	 * Retrieve the elapsed time between Checkpoint and Restore.
@@ -70,6 +68,20 @@ public synchronized static boolean isCRIUSupportEnabled() {
 		return criuSupportEnabled;
 	}
 
+	/**
+	 * Checks if CRIU Security provider is enabled
+	 * when CRIU support is enabled.
+	 *
+	 * @return true if enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		boolean isCRIUSecProviderEnabled = false;
+		if (criuSupportEnabled) {
+			isCRIUSecProviderEnabled = enableCRIUSecProviderImpl();
+		}
+		return isCRIUSecProviderEnabled;
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed.
 	 * isCRIUSupportEnabled() is invoked first to check if CRIU support is enabled,

diff --git a/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java b/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java
@@ -203,6 +203,17 @@ public static boolean isCRIUSupportEnabled() {
 		return (nativeLoaded && InternalCRIUSupport.isCRIUSupportEnabled());
 	}
 
+	/**
+	 * Checks if the CRIUSecProvider is enabled when CRIU
+	 * checkpoints are allowed (checks whether -XX:-CRIUSecProvider
+	 * has been specified).
+	 *
+	 * @return true if CRIUSecProvider is enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		return InternalCRIUSupport.enableCRIUSecProvider();
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed. With -XX:+CRIURestoreNonPortableMode enabled
 	 * (default policy) only a single checkpoint is allowed.

diff --git a/runtime/jcl/common/criu.cpp b/runtime/jcl/common/criu.cpp
@@ -71,5 +71,18 @@ Java_openj9_internal_criu_InternalCRIUSupport_isCRIUSupportEnabledImpl(JNIEnv *e
 
 	return res;
 }
+
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused)
+{
+	J9VMThread *currentThread = (J9VMThread *)env;
+	jboolean res = JNI_FALSE;
+
+	if (currentThread->javaVM->internalVMFunctions->enableCRIUSecProvider(currentThread)) {
+		res = JNI_TRUE;
+	}
+
+	return res;
+}
 #endif /* defined(J9VM_OPT_CRIU_SUPPORT) */
 }
diff --git a/runtime/jcl/exports.cmake b/runtime/jcl/exports.cmake
@@ -670,6 +670,7 @@ endif()
 # J9VM_OPT_CRIU_SUPPORT
 if(J9VM_OPT_CRIU_SUPPORT)
 	omr_add_exports(jclse
+		Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl

diff --git a/runtime/jcl/uma/criu_exports.xml b/runtime/jcl/uma/criu_exports.xml
@@ -20,6 +20,7 @@ OpenJDK Assembly Exception [2].
 SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
 -->
 <exports group="criu">
+	<export name="Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl" />

diff --git a/runtime/oti/j9nonbuilder.h b/runtime/oti/j9nonbuilder.h
@@ -4205,6 +4205,7 @@ typedef struct J9DelayedLockingOpertionsRecord {
 #define J9VM_CRIU_IS_JDWP_ENABLED 0x8
 #define J9VM_CRIU_IS_THROW_ON_DELAYED_CHECKPOINT_ENABLED 0x10
 #define J9VM_CRIU_IS_PORTABLE_JVM_RESTORE_MODE 0x20
+#define J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER 0x40
 
 typedef struct J9CRIUCheckpointState {
 	U_32 flags;
@@ -5026,6 +5027,7 @@ typedef struct J9InternalVMFunctions {
 	BOOLEAN (*jvmRestoreHooks)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled_VM)(struct J9JavaVM *vm);
+	BOOLEAN (*enableCRIUSecProvider)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCheckpointAllowed)(struct J9VMThread *currentThread);
 	BOOLEAN (*isNonPortableRestoreMode)(struct J9VMThread *currentThread);
 	BOOLEAN (*isJVMInPortableRestoreMode)(struct J9VMThread *currentThread);

diff --git a/runtime/oti/jclprots.h b/runtime/oti/jclprots.h
@@ -1292,6 +1292,9 @@ Java_jdk_internal_misc_ScopedMemoryAccess_closeScope0(JNIEnv *env, jobject insta
 
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 /* criu.cpp */
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused);
+
 jlong JNICALL
 Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl(JNIEnv *env, jclass unused);
 

diff --git a/runtime/oti/jvminit.h b/runtime/oti/jvminit.h
@@ -424,6 +424,8 @@ enum INIT_STAGE {
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 #define VMOPT_XXENABLECRIU "-XX:+EnableCRIUSupport"
 #define VMOPT_XXDISABLECRIU "-XX:-EnableCRIUSupport"
+#define VMOPT_XXENABLECRIUSECPROVIDER "-XX:+CRIUSecProvider"
+#define VMOPT_XXDISABLECRIUSECPROVIDER "-XX:-CRIUSecProvider"
 #define VMOPT_XXENABLECRIUNONPORTABLEMODE "-XX:+CRIURestoreNonPortableMode"
 #define VMOPT_XXDISABLECRIUNONPORTABLEMODE "-XX:-CRIURestoreNonPortableMode"
 #define VMOPT_XXENABLEJVMRESTOREPORTABLEMODE "-XX:+JVMPortableRestoreMode"

diff --git a/runtime/oti/vm_api.h b/runtime/oti/vm_api.h
@@ -517,6 +517,17 @@ isCRIUSupportEnabled(J9VMThread *currentThread);
 BOOLEAN
 isCRIUSupportEnabled_VM(J9JavaVM *vm);
 
+/**
+ * @brief Checks if the CRIU security provider is enabled when CRIU
+ * checkpoints are allowed. By default it is enabled, it can be disabled with
+ * -XX:-CRIUSecProvider.
+ *
+ * @param currentThread vmthread token
+ * @return TRUE if enabled, FALSE otherwise
+ */
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread);
+
 /**
  * @brief Queries if checkpointing is permitted. Note, when
  * -XX:+CRIURestoreNonPortableMode option is specified checkpointing

diff --git a/runtime/vm/CRIUHelpers.cpp b/runtime/vm/CRIUHelpers.cpp
@@ -128,6 +128,18 @@ isCheckpointAllowed(J9VMThread *currentThread)
 	return result;
 }
 
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread)
+{
+	BOOLEAN result = FALSE;
+
+	if (isCRIUSupportEnabled(currentThread)) {
+		result = J9_ARE_ANY_BITS_SET(currentThread->javaVM->checkpointState.flags, J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER);
+	}
+
+	return result;
+}
+
 BOOLEAN
 isNonPortableRestoreMode(J9VMThread *currentThread)
 {

diff --git a/runtime/vm/intfunc.c b/runtime/vm/intfunc.c
@@ -409,6 +409,7 @@ J9InternalVMFunctions J9InternalFunctions = {
 	jvmRestoreHooks,
 	isCRIUSupportEnabled,
 	isCRIUSupportEnabled_VM,
+	enableCRIUSecProvider,
 	isCheckpointAllowed,
 	isNonPortableRestoreMode,
 	isJVMInPortableRestoreMode,

diff --git a/runtime/vm/jvminit.c b/runtime/vm/jvminit.c
@@ -3916,6 +3916,16 @@ processVMArgsFromFirstToLast(J9JavaVM * vm)
 		}
 	}
 
+	{
+		IDATA enableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUSECPROVIDER, NULL);
+		IDATA disableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUSECPROVIDER, NULL);
+		if (enableCRIUSecProvider >= disableCRIUSecProvider) {
+			if (J9_ARE_ANY_BITS_SET(vm->checkpointState.flags, J9VM_CRIU_IS_CHECKPOINT_ENABLED)) {
+				vm->checkpointState.flags |= J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER;
+			}
+		}
+	}
+
 	{
 		IDATA enableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUNONPORTABLEMODE, NULL);
 		IDATA disableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUNONPORTABLEMODE, NULL);